Abstract

Rabi, Rivest, and Sherman alter the standard notion of noninvertibility to a new
notion they call strong noninvertibility, and show — via explicit cryptographic protocols
for secret-key agreement ([RS93, RS97] attribute this to Rivest and Sherman) and digital
signatures [RS93, RS97] — that strongly noninvertible functions would be very useful
components in protocol design. Their definition of strong noninvertibility has a small
twist ("respecting the argument given") that is needed to ensure cryptographic usefulness.
In this paper, we show that this small twist has a large, unexpected consequence:
Unless P = NP, some strongly noninvertible functions are invertible.

Topic: Computational and Structural Complexity. 

1 Introduction 

Rabi, Rivest, and Sherman developed novel cryptographic protocols that require one-way
functions with algebraic properties such as associativity (see [RS93, RS97] and the
attributions and references therein, esp. [She86, KRS88]). Motivated by these protocols, they
initiated the study of two-argument (2-ary, for short) one-way functions in worst-case
cryptography. To preclude certain types of attacks, their protocols require one-way functions
that are not invertible in polynomial time even when the adversary is given not just the
function's output but also one of the function's inputs. Calling this property of one-way
functions "strong noninvertibility" (or "strongness," for short), they left as an open problem
whether there is any evidence — e.g., any plausible complexity-theoretic hypothesis — ensuring
the existence of one-way functions with all the properties the protocols require, namely
ensuring the existence of total, commutative, associative one-way functions that are strongly
noninvertible. This problem was recently solved by Hemaspaandra and Rothe [HR99] who show
that if P ≠ NP then such one-way functions do exist.

Unfortunately, Hemaspaandra and Rothe [HR99] write: "Rabi and Sherman [RS97] also
introduce the notion of strong one-way functions — 2-ary one-way functions that are hard to
invert even if one of their arguments is given. Strongness implies one-way-ness." The latter
sentence could be very generously read as meaning "strong, one-way functions" when it
speaks of "strongness," especially since strongness alone, by definition, does not even require
honesty, and without honesty the sentence quoted above would be provably, trivially, false.
However, a more natural reading is that [HR99] is assuming that strongly noninvertible
functions are always noninvertible. The main result of the present paper is that if P ≠ NP
then this is untrue. So, even when one has proven a function to be strongly noninvertible,
one must not merely claim that noninvertibility automatically holds (as it may not), but
rather one must prove the noninvertibility.$^{1}$

In the present paper, we study appropriately honest, polynomial-time computable 2-ary
functions. We prove that if P ≠ NP then there exist strongly noninvertible such functions
that are invertible (see Section 2 for precise definitions). This is a rather surprising result
that at first might seem paradoxical. To paint a full picture of what happens if P ≠ NP,
we also show the (nonsurprising) result that if P ≠ NP then there exist appropriately
honest, polynomial-time computable 2-ary functions that are noninvertible, yet not strongly
noninvertible.

So, why is the surprising, paradoxical-seeming result (that if P ≠ NP then some strongly
noninvertible functions are invertible) even possible? Let us informally explain. Let $\sigma$
be a 2-ary function. We say $\sigma$ is noninvertible if there is no polynomial-time inverter
that, given an image element $z$ of $\sigma$, outputs some preimage of $z$. We say $\sigma$ is
strongly noninvertible if even when, in addition to any image element $z$ of $\sigma$, one
argument of $\sigma$ is given such that there exists another string with which this argument is
mapped to $z$, computing one such other argument is not a polynomial-time task. So, why does
strongness alone not outright imply noninvertibility? One might be tempted to think that from
some given polynomial-time inverter $g$ witnessing the invertibility of $\sigma$ one could
construct polynomial-time inverters $g_1$ and $g_2$ such that $g_i$ inverts $\sigma$ in
polynomial time even when the $i$th argument is given (see Definition 2.2 for the formal
details). This approach does not work. In particular, it is not clear how to define $g_1$ when
given an output $z$ of $\sigma$ and a first argument $a$ that together with a corresponding
second argument is mapped to $z$, yet $a$ is not the first component of $g(z)$. (In fact, our
main theorem implies that no approach can in general accomplish the desired transformation
from $g$ to $g_i$, unless P = NP.)

$^{1}$ Since in [HR99] only strong noninvertibility is explicitly proven, one might worry that
the functions constructed in its proofs may be invertible. Fortunately, the constructions in
the proofs in [HR99] do easily support and implicitly give noninvertibility as well; thus, all
the claims of [HR99] remain correct. Most crucially, on page 654 of [HR99], inverting the
output $\langle x, x \rangle$ in polynomial time would give strings containing one witness for
membership of $x$ in the given set in NP − P (if there are any such witnesses), which is
impossible.

But then, why don't we use a different notion of strongness that automatically implies
noninvertibility? The answer is that the definitional subtlety that opens the door to the
unexpected behavior is absolutely essential to the cryptographic protocols for which Rabi,
Rivest, and Sherman created the notion in the first place. For example, suppose one were
tempted to redefine "strongly noninvertible" with the following quite different notion:
$\sigma$ is "strongly noninvertible" if, given any image element $z$ of $\sigma$ and any one
argument of $\sigma$ such that there exists another string with which this argument is mapped
to $z$, computing any preimage of $z$ (as opposed to "any other argument respecting the
argument given") is not a polynomial-time task. The problem with this redefinition is that it
completely loses the core of why strongness precludes direct attacks against the protocols of
Rabi, Rivest, and Sherman. We will call the just-defined notion "overstrongness," as it seems
to be overrestrictive in terms of motivation — and we will prove that if P ≠ NP then
overstrongness indeed is a properly more restrictive notion than strongness.

2 Definitions 

Fix the binary alphabet $\Sigma = \{0, 1\}$. Let $\varepsilon$ denote the empty string. Let
$\langle \cdot, \cdot \rangle : \Sigma^* \times \Sigma^* \to \Sigma^*$ be some standard pairing
function, that is, some total, polynomial-time computable bijection that has polynomial-time
computable inverses and is nondecreasing in each argument when the other argument is fixed.
Let FP denote the set of all polynomial-time computable total functions. The standard
definition of one-way-ness used here is essentially due to Grollmann and Selman [GS88]
(except that they require one-way functions to be one-to-one); as in the papers
[RS97, HR99, Hom00], their notion is tailored below to the case of 2-ary functions.



Definition 2.1 [GS88, RS97, HR99] Let $\rho : \Sigma^* \times \Sigma^* \to \Sigma^*$ be any
(possibly nontotal, possibly many-to-one) 2-ary function.

1. We say $\rho$ is honest if and only if there exists a polynomial $q$ such that:

$$(\forall z \in \mathrm{image}(\rho))\,(\exists (a, b) \in \mathrm{domain}(\rho))\,[\,|a| + |b| < q(|z|) \wedge \rho(a, b) = z\,].$$

2. We say $\rho$ is (polynomial-time) noninvertible if and only if the following does not hold:

$$(\exists g \in \mathrm{FP})\,(\forall z \in \mathrm{image}(\rho))\,[\rho(g(z)) = z].$$

3. We say $\rho$ is one-way if and only if it is honest, polynomial-time computable, and
noninvertible.

We now define strong noninvertibility (or strongness), which is a stand-alone property
(i.e., with one-way-ness not necessarily required) of 2-ary functions. If one wants to discuss
strongness in a nontrivial way, one needs some type of honesty that is suitable for strongness.
To this end, we introduce below, in addition to honesty as defined above, the notion of
s-honesty.$^{2}$



Definition 2.2 (see, essentially, [RS97, HR99]) Let $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$
be any (possibly nontotal, possibly many-to-one) 2-ary function.

1. We say $\sigma$ is s-honest if and only if there exists a polynomial $q$ such that both (a)
and (b) hold:

(a) $(\forall z, a : (\exists b)\,[\sigma(a, b) = z])\,(\exists b')\,[\,|b'| < q(|z| + |a|) \wedge \sigma(a, b') = z\,]$.

(b) $(\forall z, b : (\exists a)\,[\sigma(a, b) = z])\,(\exists a')\,[\,|a'| < q(|z| + |b|) \wedge \sigma(a', b) = z\,]$.

2. We say $\sigma$ is (polynomial-time) invertible with respect to the first argument if and
only if

$$(\exists g_1 \in \mathrm{FP})\,(\forall z \in \mathrm{image}(\sigma))\,(\forall a, b : (a, b) \in \mathrm{domain}(\sigma) \wedge \sigma(a, b) = z)\,[\sigma(a, g_1(\langle a, z \rangle)) = z].$$

3. We say $\sigma$ is (polynomial-time) invertible with respect to the second argument if and
only if

$$(\exists g_2 \in \mathrm{FP})\,(\forall z \in \mathrm{image}(\sigma))\,(\forall a, b : (a, b) \in \mathrm{domain}(\sigma) \wedge \sigma(a, b) = z)\,[\sigma(g_2(\langle b, z \rangle), b) = z].$$

4. We say $\sigma$ is strongly noninvertible if and only if $\sigma$ is neither invertible with
respect to the first argument nor invertible with respect to the second argument.

5. We say $\sigma$ is strongly one-way if and only if it is s-honest, polynomial-time computable,
and strongly noninvertible.

It is easy to see that there are honest, polynomial-time computable 2-ary functions that
are not s-honest,$^{3}$ and that there are s-honest, polynomial-time computable 2-ary functions
that are not honest.$^{4}$

For completeness, we also give a formal definition of the notion of overstrongness mentioned
in the last paragraph of the introduction. Note that overstrongness implies both
noninvertibility and strong noninvertibility.

$^{2}$ The strongly noninvertible functions in [HR99] clearly are all s-honest, notwithstanding
that s-honesty is not explicitly discussed in [HR99] (or [RS97, RS93]).

$^{3}$ For example, consider the function $\rho : \Sigma^* \times \Sigma^* \to \Sigma^*$ defined by
$\rho(a, b) = 1^{\lceil \log\log(\max(|b|, 2)) \rceil}$ if $a = 0$, and $\rho(a, b) = ab$ if
$a \neq 0$. This function is honest (as proven by $\rho(\varepsilon, x) = x$) but is not s-honest,
since for any given polynomial $q$ there are strings $b \in \Sigma^*$ and
$z = 1^{\lceil \log\log(\max(|b|, 2)) \rceil}$ with $\rho(0, b) = z$, but the smallest
$b' \in \Sigma^*$ with $\rho(0, b') = z$ satisfies
$|b'| > q(|z| + |0|) = q(\lceil \log\log(\max(|b|, 2)) \rceil + 1)$.

$^{4}$ For example, consider the function $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ that is
defined by $\sigma(a, b) = 1^{\lceil \log\log(\max(|b|, 2)) \rceil}$ if $|a| = |b|$, and that is
undefined otherwise. This function is s-honest but not honest.
Definition 2.3 Let $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ be any (possibly nontotal,
possibly many-to-one) 2-ary function. We say $\sigma$ is overstrong if and only if for no
$f \in \mathrm{FP}$ with $f : \{1, 2\} \times \Sigma^* \times \Sigma^* \to \Sigma^* \times \Sigma^*$
does it hold that for each $i \in \{1, 2\}$ and for all strings $z, a \in \Sigma^*$:

$$\bigl((\exists b \in \Sigma^*)\,[(\sigma(a, b) = z \wedge i = 1) \vee (\sigma(b, a) = z \wedge i = 2)]\bigr) \implies \sigma(f(i, z, a)) = z.$$



3 On Inverting Strongly Noninvertible Functions 



It is well-known (see, e.g., [Sel92, BDG95]) that 1-ary one-way functions exist if and only if
P ≠ NP; as mentioned in [HR99, RS97], the standard method to prove this result can also
be used to prove the analogous result for 2-ary one-way functions.

Theorem 3.1 (see [HR99, RS97]) P ≠ NP if and only if total 2-ary one-way functions
exist.



Now we show the main, and most surprising, result of this paper: If P ≠ NP then one
can invert some functions that are strongly noninvertible.

Theorem 3.2 If P ≠ NP then there exists a total, honest 2-ary function that is a strongly
one-way function but not a one-way function.



Proof. Assuming P ≠ NP, by Theorem 3.1 there exists a total 2-ary one-way function $\rho$.
Define a function $\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ as follows:

$$\sigma(a, b) = \begin{cases}
0\rho(x, y) & \text{if } (\exists x, y, z \in \Sigma^*)\,[a = 1\langle x, y \rangle \wedge b = 0z] \\
0\rho(y, z) & \text{if } (\exists x, y, z \in \Sigma^*)\,[a = 0x \wedge b = 1\langle y, z \rangle] \\
1xy & \text{if } (\exists x, y \in \Sigma^*)\,[(a = 0x \wedge b = 0y) \vee (a = 1x \wedge b = 1y)] \\
ab & \text{if } a = \varepsilon \vee b = \varepsilon.
\end{cases}$$

It is a matter of routine to check that $\sigma$ is polynomial-time computable, total, honest,
and s-honest (regardless of whether or not $\rho$, which is honest, is s-honest).

If one could invert $\sigma$ with respect to one of its arguments then one could invert $\rho$,
contradicting that $\rho$ is a one-way function. In particular, supposing $\sigma$ is invertible
with respect to the first argument via inverter $g_1 \in \mathrm{FP}$, we can use $g_1$ to define
a function $g \in \mathrm{FP}$ that inverts $\rho$. To see this, note that given any
$w \in \mathrm{image}(\rho)$ with $w \neq \varepsilon$, $g_1(\langle 0, 0w \rangle)$ must yield a
string of the form $b = 1\langle y, z \rangle$ with $\rho(y, z) = w$. Thus, $\sigma$ is not
invertible with respect to the first argument. An analogous argument shows that $\sigma$ is not
invertible with respect to the second argument. Thus, $\sigma$ is strongly noninvertible.
However, $\sigma$ is invertible, since every string $z \in \mathrm{image}(\sigma)$ has an inverse
of the form $(\varepsilon, z)$; so, the FP function mapping any given string $z$ to
$(\varepsilon, z)$ is an inverter for $\sigma$. Hence, $\sigma$ is not a one-way function. □
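
The construction in this proof can be run on short strings. The following Python sketch is an added example, not code from the paper: the Cantor-based pairing function, SHA-256 standing in for $\rho$ (it is not a proven one-way function), and the lookup-table `table_g1` playing the hypothetical inverter $g_1$ are all assumptions made so the cases can be executed.

```python
import hashlib
from itertools import product
from math import isqrt

def s2n(s):
    """Shortlex bijection {0,1}* -> N."""
    return int("1" + s, 2) - 1

def n2s(n):
    return bin(n + 1)[3:]

def pair(x, y):
    """<x,y>: Cantor pairing lifted to strings (a total bijection, increasing in each argument)."""
    i, j = s2n(x), s2n(y)
    return n2s((i + j) * (i + j + 1) // 2 + j)

def unpair(p):
    n = s2n(p)
    w = (isqrt(8 * n + 1) - 1) // 2
    j = n - w * (w + 1) // 2
    return n2s(w - j), n2s(j)

def rho(x, y):
    """ASSUMPTION: SHA-256 stands in for the total 2-ary one-way function rho."""
    digest = hashlib.sha256(pair(x, y).encode()).digest()
    return "".join(f"{byte:08b}" for byte in digest)

def sigma(a, b):
    """The four cases of sigma from the proof of Theorem 3.2."""
    if a == "" or b == "":
        return a + b                          # a = eps or b = eps
    if a[0] == "1" and b[0] == "0":
        return "0" + rho(*unpair(a[1:]))      # a = 1<x,y>, b = 0z
    if a[0] == "0" and b[0] == "1":
        return "0" + rho(*unpair(b[1:]))      # a = 0x, b = 1<y,z>
    return "1" + a[1:] + b[1:]                # equal leading bits: 1xy

def invert(z):
    """Plain inverter: sigma(eps, z) = z for every string z."""
    return "", z

def rho_inverter_from(g1):
    """Reduction from the proof: an inverter g1 w.r.t. the first argument inverts rho."""
    def g(w):
        b = g1("0", "0" + w)   # first argument fixed to 0, target output 0w (w != eps)
        return unpair(b[1:])   # b must be 1<y,z> with rho(y,z) = w
    return g

def strings(max_len):
    return ["".join(t) for n in range(max_len + 1) for t in product("01", repeat=n)]

def plain_inverter_ok(max_len=4):
    """Check sigma(invert(z)) = z on every image element reachable from short inputs."""
    return all(sigma(*invert(sigma(a, b))) == sigma(a, b)
               for a in strings(max_len) for b in strings(max_len))

def table_g1(max_len=3):
    """Hypothetical g1 realised as a lookup table; it only knows short second arguments."""
    table = {sigma("0", b): b for b in strings(max_len) if b[:1] == "1"}
    return lambda a, z: table[z]
```

The preimage $(\varepsilon, z)$ returned by `invert` never has the given first argument `0`, which is why it does not help an adversary who must respect that argument.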



The converse of Theorem 3.2 immediately holds, as do the converses of Proposition
Corollary 3.5, and Theorems 3.4, 3.6, and

However, although all these results in fact are equivalences, we will focus on only the
interesting implication direction.
For completeness, we mention in passing that, assuming P ≠ NP, one can construct
functions that — unlike the function constructed in the proof of Theorem 3.2 — are strongly
one-way and one-way. An example of such a function is the following modification
$\hat{\sigma}$ of the function $\sigma$ constructed in the proof of Theorem 3.2. As in that
proof, let $\rho$ be a total 2-ary one-way function, and define function
$\hat{\sigma} : \Sigma^* \times \Sigma^* \to \Sigma^*$ by

$$\hat{\sigma}(a, b) = \begin{cases}
0\rho(x, y) & \text{if } (\exists x, y, z \in \Sigma^*)\,[a = 1\langle x, y \rangle \wedge b = 0z] \\
0\rho(y, z) & \text{if } (\exists x, y, z \in \Sigma^*)\,[a = 0x \wedge b = 1\langle y, z \rangle] \\
1ab & \text{otherwise.}
\end{cases}$$

Note that $\hat{\sigma}$ even is overstrong; hence, $\hat{\sigma}$ is both noninvertible and
strongly noninvertible. That is:

Proposition 3.3 If P ≠ NP then there exists a total, honest, s-honest, 2-ary overstrong
function. (It follows that if P ≠ NP then there exists a total 2-ary function that is one-way
and strongly one-way.)

Corollary below shows that if P ≠ NP then there is an s-honest 2-ary one-way
function that is not strongly one-way. First, we establish a result that is slightly stronger:
For a function to be not strongly noninvertible, it is enough that it is invertible with respect
to at least one of its arguments. The function $\sigma$ to be constructed in the proof of
Theorem 3.4 below even is invertible with respect to each of its arguments.

Theorem 3.4 If P ≠ NP then there exists a total, s-honest 2-ary one-way function $\sigma$
such that $\sigma$ is invertible with respect to its first argument and $\sigma$ is invertible
with respect to its second argument.



Proof. It is well-known ([Sel92, Prop. 1], in light of the many-to-one analog of his comment
[Sel92, p. 209] about totality) that under the assumption P ≠ NP there exists a total 1-ary
one-way function $\rho : \Sigma^* \to \Sigma^*$. Define a function
$\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ as follows:

$$\sigma(a, b) = \begin{cases}
1\rho(a) & \text{if } a = b \\
0ab & \text{if } a \neq b.
\end{cases}$$

Note that $\sigma$ is polynomial-time computable, total, s-honest, and honest. If $\sigma$ were
invertible in polynomial time then $\rho$ would be too; so, $\sigma$ is a one-way function.
However, $\sigma$ is invertible with respect to each of its arguments. For an inverter with
respect to the first argument, consider the function $g_1 : \Sigma^* \to \Sigma^*$ defined by

$$g_1(x) = \begin{cases}
b & \text{if } (\exists a, b, z \in \Sigma^*)\,[x = \langle a, 0z \rangle \wedge z = ab] \\
a & \text{if } (\exists a, z \in \Sigma^*)\,[x = \langle a, 1z \rangle] \\
\varepsilon & \text{otherwise.}
\end{cases}$$

Clearly, $g_1 \in \mathrm{FP}$. Note that for every $y \in \mathrm{image}(\sigma)$ and for every
$a \in \Sigma^*$ for which there exists some $b \in \Sigma^*$ with $\sigma(a, b) = y$, it holds
that $\sigma(a, g_1(\langle a, y \rangle)) = y$, completing the proof that $\sigma$ is invertible
with respect to the first argument. To see that $\sigma$ also is invertible with respect to the
second argument, an analogous construction (with the roles of the first and the second argument
interchanged) works to give an inverter $g_2$ for a fixed second argument. □

Corollary 3.5 If P ≠ NP then there exists a total, s-honest 2-ary one-way function that
is not strongly one-way.

One might wonder whether functions that are not strongly noninvertible (which means 
they are invertible with respect to at least one of their arguments) outright must be invertible 
with respect to both of their arguments. The following result states that this is not the 
case, unless P = NP. 

Theorem 3.6 If P ≠ NP then there exists a total, s-honest 2-ary one-way function that is
invertible with respect to one of its arguments (thus, it is not strongly one-way), yet that is
not invertible with respect to its other argument.



Proof. Assuming P ≠ NP, by Theorem 3.1 there exists a total 2-ary one-way function,
call it $\rho$. Since our pairing function is onto and one-to-one, and its inverses are
efficiently computable, the functions — $\pi_1$ and $\pi_2$ — mapping from each string in
$\Sigma^*$ to that string's first and second components when interpreted as a pair are
well-defined, total, polynomial-time functions; for all $b \in \Sigma^*$,
$b = \langle \pi_1(b), \pi_2(b) \rangle$. Define a function
$\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ as follows:

$$\sigma(a, b) = \rho(\pi_1(b), \pi_2(b)).$$

It is clear that $\sigma$ is honest (via $\rho$'s honesty) and s-honest. Let $a_0$ be any fixed
string, and define $g_2(w) = a_0$ for all strings $w$. Clearly, $g_2 \in \mathrm{FP}$. The
definition of $\sigma$ implies that for each $z = \rho(x, y) \in \mathrm{image}(\sigma)$ and for
each $b \in \Sigma^*$ such that $\sigma(a, b) = z$ for some $a \in \Sigma^*$, it also holds that
$\sigma(a_0, b) = z$. Thus, $\sigma$ is invertible with respect to the second argument via
$g_2$. However, if $\sigma$ were also invertible with respect to the first argument via some
function $g_1 \in \mathrm{FP}$, then $g_1$ could be used to invert $\rho$, which would contradict
the noninvertibility of $\rho$. Hence, $\sigma$ is invertible with respect to its first, yet not
with respect to its second argument. Analogously, we can define a function that is invertible
with respect to its second argument, yet not with respect to its first argument. □



Finally, let us turn to the notion of overstrongness (see Definition 2.3) mentioned in
the last paragraph of the introduction. As noted there, this notion is not less restrictive
than either noninvertibility or strong noninvertibility, and so if a given polynomial-time
computable, honest, s-honest function is overstrong then it certainly is both one-way and
strongly one-way. Notwithstanding the fact that — as we have argued — overstrongness is not
well-motivated by the cryptographic protocols of Rabi, Rivest, and Sherman [RS97], for the
purpose of showing that the notions do not collapse, we will prove that the converse does
not hold, unless P = NP.
Theorem 3.7 If P ≠ NP then there exists a total, honest, s-honest 2-ary function that is
noninvertible and strongly noninvertible but that is not overstrong.



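Proof. Assume P ≠ NP. It is known (see [Sel92]) that this assumption implies that
total 1-ary one-way functions exist. Let $\hat{\rho}$ be one such function, and let $\hat{\rho}$
be such that it additionally satisfies
$(\exists r > 2)\,(\forall x \in \Sigma^*)\,[\,|\hat{\rho}(x)| = |x|^r + r\,]$. Henceforth, $r$
will denote this value $r$. That this condition can be required follows easily from the
standard "accepting-paths-based" proofs that P ≠ NP implies the existence of total 1-ary
one-way functions. Define a total function $\rho : \Sigma^* \to \Sigma^*$ as follows:

$$\rho(a) = \begin{cases}
1\hat{\rho}(x) & \text{if } (\exists x \in \Sigma^*)\,[a = 1x] \\
a & \text{if } (\exists x \in \Sigma^*)\,[a = 0x] \\
\varepsilon & \text{if } a = \varepsilon.
\end{cases}$$

Note that $\rho$ is a 1-ary, total one-way function satisfying that for each $i > 0$,
$\rho(0^i) = 0^i$. Now define the total function
$\sigma : \Sigma^* \times \Sigma^* \to \Sigma^*$ as follows:

$$\sigma(a, b) = \begin{cases}
1\langle \rho(x), 0^{|x|} \rangle & \text{if } (\exists x, y \in \Sigma^*)\,[\,|x| = |y| \wedge a = 0\langle x, y \rangle = b\,] \\
1\langle \rho(x), 0^{|x|} \rangle & \text{if } (\exists x, y \in \Sigma^*)\,[\,|x| = |y| \wedge a = 1\langle x, 0y \rangle \wedge b = 1\langle x, 1\hat{\rho}(y) \rangle\,] \\
1\langle \rho(x), 0^{|x|} \rangle & \text{if } (\exists x, y \in \Sigma^*)\,[\,|x| = |y| \wedge a = 1\langle x, 1\hat{\rho}(y) \rangle \wedge b = 1\langle x, 0y \rangle\,] \\
0\langle a, b \rangle & \text{otherwise.}
\end{cases}$$

Clearly, $\sigma$ is polynomial-time computable, honest, s-honest, and commutative. If $\sigma$
were invertible, $\rho$ would be too. Thus, $\sigma$ is a one-way function.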

Note that $\sigma$ is strongly noninvertible, for if it could be inverted with respect to either
argument then $\hat{\rho}$ could be inverted too. Suppose, for example, $\sigma$ were invertible
with respect to the first argument via inverter $g_1 \in \mathrm{FP}$. Then $\hat{\rho}$ could be
inverted as follows. Given any $z \in \Sigma^*$, if there is no $k \in \mathbb{N}$ with
$k^r + r = |z|$, there is no inverse of $z$ under $\hat{\rho}$; so, in that case we may output
anything. Otherwise (i.e., there is a $k \in \mathbb{N}$ with $k^r + r = |z|$), run $g_1$ on
input $\langle a, w \rangle$, where $a = 1\langle 0^k, 1z \rangle$ and
$w = 1\langle 0^k, 0^k \rangle$. By the definition of $\sigma$, if
$z \in \mathrm{image}(\hat{\rho})$, the result of $g_1(\langle a, w \rangle)$ must be of the form
$1\langle 0^k, 0\tilde{z} \rangle$ for some preimage $\tilde{z}$ of $z$ under $\hat{\rho}$, and
we can verify this by running $\hat{\rho}$ on input $\tilde{z}$ and checking whether or not
$\hat{\rho}(\tilde{z}) = z$. A similar argument shows that $\sigma$ is not invertible with
respect to the second argument. Hence, $\sigma$ is strongly one-way.

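Finally, we claim that $\sigma$ is not overstrong. Here is what an inverter $f$ does when given
$i = 1$,$^{5}$ an alleged first argument $a \in \Sigma^*$ of $\sigma$, and an alleged output
$z \in \Sigma^*$ of $\sigma$:

$$f(1, a, z) = \begin{cases}
(x, y) & \text{if } (\exists x, y \in \Sigma^*)\,[z = 0\langle x, y \rangle] \\
(a, a) & \text{if } (\exists x, y \in \Sigma^*)\,(\exists m \in \mathbb{N})\,[a = 0x \wedge z = 1\langle y, 0^m \rangle] \\
(0\langle w, w \rangle, 0\langle w, w \rangle) & \text{if } (\exists w, x, y \in \Sigma^*)\,(\exists m \in \mathbb{N})\,[a = 1\langle w, 0x \rangle \wedge z = 1\langle y, 0^m \rangle] \\
(0\langle w, w \rangle, 0\langle w, w \rangle) & \text{if } (\exists w, x, y \in \Sigma^*)\,(\exists m \in \mathbb{N})\,[a = 1\langle w, 1x \rangle \wedge z = 1\langle y, 0^m \rangle] \\
(\varepsilon, \varepsilon) & \text{otherwise.}
\end{cases}$$

Note that $f \in \mathrm{FP}$. Whenever there exists some string $b \in \Sigma^*$ for which
$\sigma(a, b) = z$, it holds that $\sigma(f(1, a, z)) = z$. (If there is no such $b$, it does not
matter what $f(1, a, z)$ outputs.) Hence $\sigma$ is not overstrong. □

$^{5}$ Since $\sigma$ is commutative, this implicitly also shows how to handle the case $i = 2$.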